Posted to users@tomcat.apache.org by itay sahar <it...@gmail.com> on 2009/12/05 01:41:28 UTC

Control character in cookie value

Hi all,

I'm using Seam on Tomcat 6.0.20 and have encountered a problem in my security module.

Basically, I try to add a cookie with base64 encoding of the username, which is
an email address.
The encoding works and no exception is thrown. But when Seam tries adding the
cookie an exception is thrown:

05/12/2009 02:23:00 com.sun.faces.lifecycle.Phase doPhase
SEVERE: JSF1054: (Phase ID: INVOKE_APPLICATION 5, View ID: /login.xhtml)
Exception thrown during phase execution:
javax.faces.event.PhaseEvent[source=com.sun.faces.lifecycle.LifecycleImpl@7d5
05/12/2009 02:23:00 org.ajax4jsf.webapp.BaseXMLFilter doXmlFilter
SEVERE: Exception in the filter chain
javax.servlet.ServletException: #{identity.login}: java.lang.IllegalArgumentException: Control character in cookie value, consider BASE64 encoding your value
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:277)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
        at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
        at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
        at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
        at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
        at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:178)
        at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
        at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:390)
        at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:517)
        at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
        at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
        at java.lang.Thread.run(Thread.java:595)
Caused by: javax.faces.FacesException: #{identity.login}: java.lang.IllegalArgumentException: Control character in cookie value, consider BASE64 encoding your value
        at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118)
        at javax.faces.component.UICommand.broadcast(UICommand.java:387)
        at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:321)
        at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:296)
        at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:253)
        at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:466)
        at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:82)
        at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
        at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
        ... 30 more
Caused by: javax.faces.el.EvaluationException: java.lang.IllegalArgumentException: Control character in cookie value, consider BASE64 encoding your value
        at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:102)
        at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
        ... 39 more
Caused by: java.lang.IllegalArgumentException: Control character in cookie value, consider BASE64 encoding your value
        at org.apache.tomcat.util.http.ServerCookie.maybeQuote2(ServerCookie.java:396)
        at org.apache.tomcat.util.http.ServerCookie.maybeQuote2(ServerCookie.java:389)
        at org.apache.tomcat.util.http.ServerCookie.appendCookieValue(ServerCookie.java:293)
        at org.apache.catalina.connector.Response.addCookieInternal(Response.java:1010)
        at org.apache.catalina.connector.Response.addCookieInternal(Response.java:979)
        at org.apache.catalina.connector.Response.addCookie(Response.java:967)
        at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:343)
        at javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:58)
        at org.ajax4jsf.webapp.FilterServletResponseWrapper.addCookie(FilterServletResponseWrapper.java:627)
        at javax.servlet.http.HttpServletResponseWrapper.addCookie(HttpServletResponseWrapper.java:58)
        at org.jboss.seam.faces.Selector.setCookieValueIfEnabled(Selector.java:119)
        at org.jboss.seam.security.RememberMe$UsernameSelector.setCookieValueIfEnabled(RememberMe.java:70)
        at org.jboss.seam.security.RememberMe.postAuthenticate(RememberMe.java:388)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
        at org.jboss.seam.util.Reflections.invokeAndWrap(Reflections.java:144)
        at org.jboss.seam.Component.callComponentMethod(Component.java:2253)
        at org.jboss.seam.core.Events.raiseEvent(Events.java:85)
        at org.jboss.seam.security.Identity.postAuthenticate(Identity.java:397)
        at org.jboss.seam.security.Identity.authenticate(Identity.java:345)
        at org.jboss.seam.security.Identity.authenticate(Identity.java:332)
        at org.jboss.seam.security.Identity.login(Identity.java:259)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:335)
        at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:348)
        at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
        at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
        at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
        at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
        at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
        ... 40 more



See below the seam source:

protected void setCookieValueIfEnabled(String value)
   {
      FacesContext ctx = FacesContext.getCurrentInstance();

      if ( isCookieEnabled() && ctx != null)
      {
         HttpServletResponse response = (HttpServletResponse) ctx.getExternalContext().getResponse();
         Cookie cookie = new Cookie( getCookieName(), value );
         cookie.setMaxAge( getCookieMaxAge() );
         cookie.setPath(cookiePath);
         response.addCookie(cookie);              // This throws the exception
      }
   }

Re: Control character in cookie value

Posted by itay sahar <it...@gmail.com>.
This is not my code. It is Seam code.
See below the encoding section:
protected String encodeToken(String username, String value)
   {
      StringBuilder sb = new StringBuilder();
      sb.append(username);
      sb.append(":");
      sb.append(value);
      return Base64.encodeBytes(sb.toString().getBytes());
   }



On Sat, Dec 5, 2009 at 2:14 PM, André Warnier <aw...@ice-sa.com> wrote:

> itay sahar wrote:
>
>> Hi all,
>>
>> I'm using seam on tomcat 6.0.20 and encounter problem in my security module.
>>
>> Basically, i try to add cookie with base64 encoding of the username which is
>> email address.
>> The encoding works and no exception is thrown. But when seam try adding the
>> cookie an exception is thrown:
>>
>> 05/12/2009 02:23:00 com.sun.faces.lifecycle.Phase doPhase
>> SEVERE: JSF1054: (Phase ID: INVOKE_APPLICATION 5, View ID: /login.xhtml)
>> Exception thrown during phase execution:
>>
>> javax.faces.event.PhaseEvent[source=com.sun.faces.lifecycle.LifecycleImpl@7d5
>> 05/12/2009 02:23:00 org.ajax4jsf.webapp.BaseXMLFilter doXmlFilter
>> SEVERE: Exception in the filter chain
>> javax.servlet.ServletException: #{identity.login}:
>> java.lang.IllegalArgumentException: Control character in cookie value,
>> consider BASE64 encoding your value
>>        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:277)
>>
>
> Obviously, the value of your cookie is /not/ Base-64 encoded.
> I also cannot see in your code where that encoding should take place.
>
> And if the value is really an email address, and if you really do encode it
> somewhere else than in the code you show, then what probably happens is that
> your Base-64 encoded string exceeds 80 characters, and is being wrapped with
> a CR/LF somewhere.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Control character in cookie value

Posted by André Warnier <aw...@ice-sa.com>.
itay sahar wrote:
> Hi all,
> 
> I'm using seam on tomcat 6.0.20 and encounter problem in my security module.
> 
> Basically, i try to add cookie with base64 encoding of the username which is
> email address.

> The encoding works and no exception is thrown. But when seam try adding the
> cookie an exception is thrown:
> 
> 05/12/2009 02:23:00 com.sun.faces.lifecycle.Phase doPhase
> SEVERE: JSF1054: (Phase ID: INVOKE_APPLICATION 5, View ID: /login.xhtml)
> Exception thrown during phase execution:
> javax.faces.event.PhaseEvent[source=com.sun.faces.lifecycle.LifecycleImpl@7d5
> 05/12/2009 02:23:00 org.ajax4jsf.webapp.BaseXMLFilter doXmlFilter
> SEVERE: Exception in the filter chain
> javax.servlet.ServletException: #{identity.login}:
> java.lang.IllegalArgumentException: Control character in cookie value,
> consider BASE64 encoding your value
>         at javax.faces.webapp.FacesServlet.service(FacesServlet.java:277)

Obviously, the value of your cookie is /not/ Base-64 encoded.
I also cannot see in your code where that encoding should take place.

And if the value is really an email address, and if you really do encode 
it somewhere else than in the code you show, then what probably happens 
is that your Base-64 encoded string exceeds 80 characters, and is being 
wrapped with a CR/LF somewhere.



Re: Control character in cookie value

Posted by David Fisher <df...@jmlafferty.com>.
>> Christopher Schultz wrote:
>>>
>>> I'm surprised that nobody else has noticed that the control  
>>> characters
>>> in question were already posted by Itay... it's just that nobody
>>> bothered to read the error message properly :)
>>
>> And we are quite flabbergasted that you did not peruse the thread
>> carefully, or you would have no doubt noticed that even prior to the
>> actual data showing the Base64 wrapping in its full glory, the reason
>> had been given beforehand.
>
> I did read the thread carefully, and nowhere was it explained why this
> error message was being emitted:
>
> SEVERE: Exception in the filter chain
> javax.servlet.ServletException: #{identity.login}:
> java.lang.IllegalArgumentException: Control character in cookie value,
> consider BASE64 encoding your value

Itay showed it here:

> *After encoding:*
> Base64.encodeBytes(sb.toString().getBytes()) =
>
> aXRheS5zYWhhckBnbWFpbC5jb206LTMzY2RmYjZmOjEyNTZhOTBjOWFjOi04MDAwOjM2Nzg1NzQ1
>
> Base64.encodeBytes(sb.toString().getBytes()).getBytes()
> [97, 88, 82, 104, 101, 83, 53, 122, 89, 87, 104, 104, 99, 107, 66,  
> 110, 98,
> 87, 70, 112, 98, 67, 53, 106, 98, 50, 48, 54, 76, 84, 77, 122, 89,  
> 50, 82,
> 109, 89, 106, 90, 109, 79, 106, 69, 121, 78, 84, 90, 104, 79, 84,  
> 66, 106,
> 79, 87, 70, 106, 79, 105, 48, 52, 77, 68, 65, 119, 79, 106, 77, 50,  
> 78, 122,
> 103, 49, 78, 122, 81, 49, 10, 78, 106, 99, 48, 79, 68, 99, 49, 79,  
> 68, 89,
> 53, 77, 122, 103, 61]

Note the "10" between the 49 and 78 towards the end.

It was wrapped as André mentioned, and then when Itay did this:

> But look like problem is fixed. I extended the encodeToken method  
> and change
> it to be
> return Base64.encodeBytes(sb.toString().getBytes(),
> Base64.DONT_BREAK_LINES);
> And now it works (like a charm)! but i'm not sure it solve all the
> scenarios/possibilities.

This confirmed it for me.

> I never saw any JSP code with the text "#{identity.login}" in it  
> anywhere.
>
>> But all is well now, since Itay added the magical no-wrap parameter  
>> in
>> his call.
>
> Well, you may have solved /a/ problem, but you either didn't solve the
> originally-reported one, or there were really two problems originally
> reported. It's not clear to me if they are a single issue or two.

Maybe #{identity.login} is a seam artifact?

Anyway an interesting dialog as always on tomcat_user. Thanks.

Regards,
Dave

>
> -chris




Re: Control character in cookie value

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 12/9/2009 1:35 PM, André Warnier wrote:
> Chris,
> 
> Christopher Schultz wrote:
>>
>> I'm surprised that nobody else has noticed that the control characters
>> in question were already posted by Itay... it's just that nobody
>> bothered to read the error message properly :)
> 
> And we are quite flabbergasted that you did not peruse the thread
> carefully, or you would have no doubt noticed that even prior to the
> actual data showing the Base64 wrapping in its full glory, the reason
> had been given beforehand.

I did read the thread carefully, and nowhere was it explained why this
error message was being emitted:

SEVERE: Exception in the filter chain
javax.servlet.ServletException: #{identity.login}:
java.lang.IllegalArgumentException: Control character in cookie value,
consider BASE64 encoding your value

I never saw any JSP code with the text "#{identity.login}" in it anywhere.

> But all is well now, since Itay added the magical no-wrap parameter in
> his call.

Well, you may have solved /a/ problem, but you either didn't solve the
originally-reported one, or there were really two problems originally
reported. It's not clear to me if they are a single issue or two.

-chris


Re: Control character in cookie value

Posted by André Warnier <aw...@ice-sa.com>.
Chris,

Christopher Schultz wrote:
> 
> I'm surprised that nobody else has noticed that the control characters
> in question were already posted by Itay... it's just that nobody
> bothered to read the error message properly :)

And we are quite flabbergasted that you did not peruse the thread 
carefully, or you would have no doubt noticed that even prior to the 
actual data showing the Base64 wrapping in its full glory, the reason 
had been given beforehand.
But all is well now, since Itay added the magical no-wrap parameter in 
his call.



Re: Control character in cookie value

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 12/8/2009 6:28 PM, André Warnier wrote:
> So now I can go to sleep peacefully, knowing that these parts of the
> cookie do not in effect contain control characters.

I'm surprised that nobody else has noticed that the control characters
in question were already posted by Itay... it's just that nobody
bothered to read the error message properly :)

I wouldn't be surprised if this problem were transient, and that Itay
has found a situation where his code works by some miracle, and that
he'll run into it again.

-chris


Re: Control character in cookie value

Posted by André Warnier <aw...@ice-sa.com>.
Itay,

you seem to ignore selective parts of the answers and tips which you are 
given, and then rediscover them selectively 3 posts later.

itay sahar wrote:
> Andre,
> 
> I'm not sure why you worry about the other cookie value.

Thank you for your concern, but I don't worry too much.  It is not my 
application, it is yours.

> let me show you an
> example
> maybe then you may see something that i'm missing.
> 
> getCookieMaxAge()  is  31536000
> cookiePath    is   /jboss-seam-jpa

That's nice ! That is the first time you show us what getCookieMaxAge() 
and cookiePath can actually contain.
So now I can go to sleep peacefully, knowing that these parts of the 
cookie do not in effect contain control characters.
You see, before now, you were the only person who could know that for sure.

> 
> What can be wrong here ? It works!

I am sure that your first version of the application worked fine too, as 
long as the email addresses were very short.

> Are you worry about special character on cookiePath. I can make sure
> in my application this won't happen right ?

Right ! The whole point of my note was to point out to you that you 
should make sure of it.
Because if you did not make sure of it, then you could have been 
unexpectedly hit by yet another control character sometime in the 
future.  But now that you have taken care of it, I am reassured and happy.


> If you think something is wrong in the methods below please suggest
> solution..
> 

The method below looks ok, by itself.  My worries were about things used 
in the method below, but coming from somewhere else previously unknown, 
like getCookieMaxAge() and cookiePath.



> Thanks!
> 
> 
> 
> On Mon, Dec 7, 2009 at 10:42 PM, itay sahar <it...@gmail.com> wrote:
> 
>> sure!
>>  protected void setCookieValueIfEnabled(String value)
>>    {
>>       FacesContext ctx = FacesContext.getCurrentInstance();
>>
>>       if ( isCookieEnabled() && ctx != null)
>>       {
>>          HttpServletResponse response = (HttpServletResponse)
>> ctx.getExternalContext().getResponse();
>>          Cookie cookie = new Cookie( getCookieName(), value );
>>          cookie.setMaxAge( getCookieMaxAge() );
>>          cookie.setPath(cookiePath);
>>          response.addCookie(cookie);
>>       }
>>    }
>>
>> On Mon, Dec 7, 2009 at 10:26 PM, André Warnier <aw...@ice-sa.com> wrote:
>>
>>> itay sahar wrote:
>>>
>>>> sure!
>>>> protected void clearCookieValue()
>>>>   {
>>>>      Cookie cookie = getCookie();
>>>>      if ( cookie!=null )
>>>>      {
>>>>         HttpServletResponse response = (HttpServletResponse)
>>>> FacesContext.getCurrentInstance().getExternalContext().getResponse();
>>>>
>>>>         cookie.setValue(null);
>>>>         cookie.setPath(cookiePath);
>>>>         cookie.setMaxAge(0);
>>>>         response.addCookie(cookie);
>>>>      }
>>>>   }
>>>>
>>> That's not the code setting the cookie, it is code clearing a cookie
>>> value. But nevertheless..
>>>
>>>
>>>> But look like problem is fixed. I extended the encodeToken method and change
>>>> it to be
>>>> return Base64.encodeBytes(sb.toString().getBytes(), Base64.DONT_BREAK_LINES);
>>>> And now it works (like a charm)!
>>>>
>>> And may I point you to a remark from quite a few posts ago, which went
>>> like :
>>> ...
>>> --quote--
>>>
>>> Except that some Base64 encoders, in some cases, will "wrap" the output
>>> string at 76 bytes, by inserting a CR/LF pair, which are both "control
>>> characters".  (Note that the output string of Base64 is longer than the
>>> input string, since it encodes 3 consecutive input bytes into 4 output
>>> bytes.)
>>> My guess is that this is what happens here, and that could trigger the
>>> exception above.
>>> Maybe this Base64.encodeBytes() method has an optional argument which
>>> would tell it to not wrap the output value ?
>>> --end of quote--
>>>
>>>
>>>> but i'm not sure it solve all the
>>>> scenarios/possibilities.
>>> No, as also already pointed out, considering the code you posted before, a
>>> control character could also creep into cookiePath or getCookieMaxAge().
>>>
>>> Also read what Mark posted previously, about possible "=" signs getting
>>> into the Base64 encoded value (at the end, for padding).
>>>
>>>
>>>
>>>
> 




Re: Control character in cookie value

Posted by itay sahar <it...@gmail.com>.
Andre,

I'm not sure why you worry about the other cookie value. Let me show you an
example; maybe then you may see something that I'm missing.

getCookieMaxAge()  is  31536000
cookiePath    is   /jboss-seam-jpa

What can be wrong here? It works!
Are you worried about special characters in cookiePath? I can make sure
in my application this won't happen, right?
If you think something is wrong in the methods below please suggest a
solution.

Thanks!



On Mon, Dec 7, 2009 at 10:42 PM, itay sahar <it...@gmail.com> wrote:

> sure!
>  protected void setCookieValueIfEnabled(String value)
>    {
>       FacesContext ctx = FacesContext.getCurrentInstance();
>
>       if ( isCookieEnabled() && ctx != null)
>       {
>          HttpServletResponse response = (HttpServletResponse)
> ctx.getExternalContext().getResponse();
>          Cookie cookie = new Cookie( getCookieName(), value );
>          cookie.setMaxAge( getCookieMaxAge() );
>          cookie.setPath(cookiePath);
>          response.addCookie(cookie);
>       }
>    }
>
> On Mon, Dec 7, 2009 at 10:26 PM, André Warnier <aw...@ice-sa.com> wrote:
>
>> itay sahar wrote:
>>
>>> sure!
>>> protected void clearCookieValue()
>>>   {
>>>      Cookie cookie = getCookie();
>>>      if ( cookie!=null )
>>>      {
>>>         HttpServletResponse response = (HttpServletResponse)
>>> FacesContext.getCurrentInstance().getExternalContext().getResponse();
>>>
>>>         cookie.setValue(null);
>>>         cookie.setPath(cookiePath);
>>>         cookie.setMaxAge(0);
>>>         response.addCookie(cookie);
>>>      }
>>>   }
>>>
>>
>> That's not the code setting the cookie, it is code clearing a cookie
>> value. But nevertheless..
>>
>>
>>> But look like problem is fixed. I extended the encodeToken method and change
>>> it to be
>>> return Base64.encodeBytes(sb.toString().getBytes(), Base64.DONT_BREAK_LINES);
>>> And now it works (like a charm)!
>>>
>>
>> And may I point you to a remark from quite a few posts ago, which went
>> like :
>> ...
>> --quote--
>>
>> Except that some Base64 encoders, in some cases, will "wrap" the output
>> string at 76 bytes, by inserting a CR/LF pair, which are both "control
>> characters".  (Note that the output string of Base64 is longer than the
>> input string, since it encodes 3 consecutive input bytes into 4 output
>> bytes.)
>> My guess is that this is what happens here, and that could trigger the
>> exception above.
>> Maybe this Base64.encodeBytes() method has an optional argument which
>> would tell it to not wrap the output value ?
>> --end of quote--
>>
>>
>> > but i'm not sure it solve all the
>> > scenarios/possibilities.
>>
>> No, as also already pointed out, considering the code you posted before, a
>> control character could also creep into cookiePath or getCookieMaxAge().
>>
>> Also read what Mark posted previously, about possible "=" signs getting
>> into the Base64 encoded value (at the end, for padding).
>>
>>
>>
>>
>

Re: Control character in cookie value

Posted by itay sahar <it...@gmail.com>.
sure!
 protected void setCookieValueIfEnabled(String value)
   {
      FacesContext ctx = FacesContext.getCurrentInstance();

      if ( isCookieEnabled() && ctx != null)
      {
         HttpServletResponse response = (HttpServletResponse) ctx.getExternalContext().getResponse();
         Cookie cookie = new Cookie( getCookieName(), value );
         cookie.setMaxAge( getCookieMaxAge() );
         cookie.setPath(cookiePath);
         response.addCookie(cookie);
      }
   }

On Mon, Dec 7, 2009 at 10:26 PM, André Warnier <aw...@ice-sa.com> wrote:

> itay sahar wrote:
>
>> sure!
>> protected void clearCookieValue()
>>   {
>>      Cookie cookie = getCookie();
>>      if ( cookie!=null )
>>      {
>>         HttpServletResponse response = (HttpServletResponse)
>> FacesContext.getCurrentInstance().getExternalContext().getResponse();
>>
>>         cookie.setValue(null);
>>         cookie.setPath(cookiePath);
>>         cookie.setMaxAge(0);
>>         response.addCookie(cookie);
>>      }
>>   }
>>
>
> That's not the code setting the cookie, it is code clearing a cookie value.
> But nevertheless..
>
>
>> But look like problem is fixed. I extended the encodeToken method and change
>> it to be
>> return Base64.encodeBytes(sb.toString().getBytes(), Base64.DONT_BREAK_LINES);
>> And now it works (like a charm)!
>>
>
> And may I point you to a remark from quite a few posts ago, which went like
> :
> ...
> --quote--
>
> Except that some Base64 encoders, in some cases, will "wrap" the output
> string at 76 bytes, by inserting a CR/LF pair, which are both "control
> characters".  (Note that the output string of Base64 is longer than the
> input string, since it encodes 3 consecutive input bytes into 4 output
> bytes.)
> My guess is that this is what happens here, and that could trigger the
> exception above.
> Maybe this Base64.encodeBytes() method has an optional argument which would
> tell it to not wrap the output value ?
> --end of quote--
>
>
> > but i'm not sure it solve all the
> > scenarios/possibilities.
>
> No, as also already pointed out, considering the code you posted before, a
> control character could also creep into cookiePath or getCookieMaxAge().
>
> Also read what Mark posted previously, about possible "=" signs getting
> into the Base64 encoded value (at the end, for padding).
>
>
>
>

Re: Control character in cookie value

Posted by André Warnier <aw...@ice-sa.com>.
itay sahar wrote:
> sure!
> protected void clearCookieValue()
>    {
>       Cookie cookie = getCookie();
>       if ( cookie!=null )
>       {
>          HttpServletResponse response = (HttpServletResponse)
> FacesContext.getCurrentInstance().getExternalContext().getResponse();
> 
>          cookie.setValue(null);
>          cookie.setPath(cookiePath);
>          cookie.setMaxAge(0);
>          response.addCookie(cookie);
>       }
>    }

That's not the code setting the cookie, it is code clearing a cookie 
value. But nevertheless..

> But look like problem is fixed. I extended the encodeToken method and change
> it to be
> return Base64.encodeBytes(sb.toString().getBytes(),
> Base64.DONT_BREAK_LINES);
> And now it works (like a charm)! 

And may I point you to a remark from quite a few posts ago, which went 
like :
...
--quote--
Except that some Base64 encoders, in some cases, will "wrap" the output 
string at 76 bytes, by inserting a CR/LF pair, which are both "control 
characters".  (Note that the output string of Base64 is longer than the 
input string, since it encodes 3 consecutive input bytes into 4 output 
bytes.)
My guess is that this is what happens here, and that could trigger the 
exception above.
Maybe this Base64.encodeBytes() method has an optional argument which 
would tell it to not wrap the output value ?
--end of quote--

 > but i'm not sure it solve all the
 > scenarios/possibilities.

No, as also already pointed out, considering the code you posted before, 
a control character could also creep into cookiePath or getCookieMaxAge().

Also read what Mark posted previously, about possible "=" signs getting 
into the Base64 encoded value (at the end, for padding).




Re: Control character in cookie value

Posted by itay sahar <it...@gmail.com>.
sure!
protected void clearCookieValue()
   {
      Cookie cookie = getCookie();
      if ( cookie!=null )
      {
         HttpServletResponse response = (HttpServletResponse)
FacesContext.getCurrentInstance().getExternalContext().getResponse();

         cookie.setValue(null);
         cookie.setPath(cookiePath);
         cookie.setMaxAge(0);
         response.addCookie(cookie);
      }
   }
But it looks like the problem is fixed. I extended the encodeToken method and changed
it to be
return Base64.encodeBytes(sb.toString().getBytes(),
Base64.DONT_BREAK_LINES);
And now it works (like a charm)! But I'm not sure it solves all the
scenarios/possibilities.

On Mon, Dec 7, 2009 at 9:47 PM, Pid Ster <pi...@pidster.com> wrote:

> On 7 Dec 2009, at 19:26, itay sahar <it...@gmail.com> wrote:
>
> > I added a log for the following method:
> >
> > protected String encodeToken(String username, String value)
> >   {
> >      StringBuilder sb = new StringBuilder();
> >      sb.append(username);
> >      sb.append(":");
> >      sb.append(value);
> >      return Base64.encodeBytes(sb.toString().getBytes());
> >   }
> > *Before encoding:*
> > sb.toString().getBytes() =
> > [105, 116, 97, 121, 46, 115, 97, 104, 97, 114, 64, 103, 109, 97,
> > 105, 108,
> > 46, 99, 111, 109, 58, 45, 51, 51, 99, 100, 102, 98, 54, 102, 58, 49,
> > 50, 53,
> > 54, 97, 57, 48, 99, 57, 97, 99, 58, 45, 56, 48, 48, 48, 58, 51, 54,
> > 55, 56,
> > 53, 55, 52, 53, 54, 55, 52, 56, 55, 53, 56, 54, 57, 51, 56]
> >
> > *After encoding:*
> > Base64.encodeBytes(sb.toString().getBytes()) =
> >
> > aXRheS5zYWhhckBnbWFpbC5jb206LTMzY2RmYjZmOjEyNTZhOTBjOWFjOi04MDAwOjM2Nzg1NzQ1
> >
> > Base64.encodeBytes(sb.toString().getBytes()).getBytes()
> > [97, 88, 82, 104, 101, 83, 53, 122, 89, 87, 104, 104, 99, 107, 66,
> > 110, 98,
> > 87, 70, 112, 98, 67, 53, 106, 98, 50, 48, 54, 76, 84, 77, 122, 89,
> > 50, 82,
> > 109, 89, 106, 90, 109, 79, 106, 69, 121, 78, 84, 90, 104, 79, 84,
> > 66, 106,
> > 79, 87, 70, 106, 79, 105, 48, 52, 77, 68, 65, 119, 79, 106, 77, 50,
> > 78, 122,
> > 103, 49, 78, 122, 81, 49, 10, 78, 106, 99, 48, 79, 68, 99, 49, 79,
> > 68, 89,
> > 53, 77, 122, 103, 61]
> >
> > Please note that any change in the above might affect the decoder.
> > Thanks!
>
> This is nice, but what does it prove?
>
> How about posting the bit of code where you create and set the cookie?
>
> Then we might see what you're doing wrong.
>
> p
>
> > On Mon, Dec 7, 2009 at 3:04 PM, itay sahar <it...@gmail.com>
> > wrote:
> >
> >> Thanks André,
> >>
> >> I agree with you about the doubt you have about the ":" being in C
> >> (after encoding).
> >> return Base64.encodeBytes(sb.toString().getBytes());
> >> I guess you suggest to log something like
> >> (new String(C)).getBytes ? If yes, I will post it here later. I hope you
> >> can then suggest something to solve this.
> >>
> >>
> >> On Mon, Dec 7, 2009 at 1:57 PM, André Warnier <aw...@ice-sa.com> wrote:
> >>
> >>> itay sahar wrote:
> >>>
> >>>> Pid,
> >>>> I'm not using B as the cookie value.  A & B go to encode and
> >>>> finally you
> >>>> have *one *value(C). this value
> >>>> is sent to addCookie.
> >>>>
> >>>> C is something like:
> >>>>
> >>>> aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0
> >>>>
> >>>
> >>> Ok, let's take this at face value.
> >>>
> >>> So yet, you are still getting an exception, which says that there
> >>> is a
> >>> "control character" in the value of the cookie which you are
> >>> trying to add.
> >>>
> >>> Let's assume for now that the addCookie method itself has no bug,
> >>> and that
> >>> what it says in the exception is the truth.
> >>>
> >>> It also does not look (in these email communications), as if your
> >>> value C
> >>> above has a "control character" in it.
> >>>
> >>> (But note : there still could be one, that we do not see here in
> >>> these
> >>> emails.  For example, if the value C above was in reality ending
> >>> in a CR/LF
> >>> pair.  Apart from the string C itself above, you should maybe also
> >>> log its
> >>> length in bytes, so that we can really make sure that this is not
> >>> the case).
> >>>
> >>> Then, if I remember well the code which really adds the cookie
> >>> (and which
> >>> is not the one shown below), independently of the "value", there
> >>> is also in
> >>> these cookies an expiration date, and a path, which you add to the
> >>> cookie
> >>> string one by one.
> >>> So really, when you do the addCookie, what you do is creating a
> >>> cookie
> >>> header which looks like :
> >>> Set-Cookie: cookie-name=cookie-value(C);expires=somedate;path=somepath
> >>>
> >>> Any one of "somedate" or "somepath" could (potentially) contain a
> >>> control
> >>> character, and the exception would only show up when you actually
> >>> do the
> >>> addCookie() of the whole value (including expiration date and
> >>> path) at once.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>> On Mon, Dec 7, 2009 at 12:16 PM, Pid <pi...@pidster.com> wrote:
> >>>>
> >>>> On 06/12/2009 21:51, itay sahar wrote:
> >>>>>
> >>>>> Hi Andre,
> >>>>>>
> >>>>>> please see below input and output of:
> >>>>>> protected String encodeToken(String username, String value)
> >>>>>>  {
> >>>>>>     StringBuilder sb = new StringBuilder();
> >>>>>>     sb.append(username);
> >>>>>>     sb.append(":");
> >>>>>>     sb.append(value);
> >>>>>>     return Base64.encodeBytes(sb.toString().getBytes());
> >>>>>> }
> >>>>>>
> >>>>>> Input is:
> >>>>>>
> >>>>>> username= itay.sahar@gmial.com
> >>>>>> value=    6de5ca4f:1254c461110:-7feb:9135486247122677484
> >>>>>>
> >>>>>> Output is (this is what actually addCookie get as parameter):
> >>>>>>
> >>>>>> 6de5ca4f:1254c461110:-7feb:9135486247122677484
> >>>>>>
> >>>>>> Can you suggest solution ?
> >>>>>>
> >>>>>> Yep.
> >>>>>
> >>>>> You are claiming that you are supplying A & B to the encodeToken
> >>>>> function,
> >>>>> but then you are using B as the cookie value.
> >>>>>
> >>>>> Try using the value returned from the encodeToken function
> >>>>> instead.
> >>>>> Hint, if it contains a ":" character, it's not Base64 encoded.
> >>>>>
> >>>>>
> >>>>>
> >>>>> p
> >>>>>
> >>>>>
> >>>>> On Sun, Dec 6, 2009 at 11:28 PM, itay sahar<it...@gmail.com>
> >>>>> wrote:
> >>>>>
> >>>>>> Hi Andre,
> >>>>>>
> >>>>>>> please see below input and output of:
> >>>>>>> protected String encodeToken(String username, String value)
> >>>>>>>  {
> >>>>>>>     StringBuilder sb = new StringBuilder();
> >>>>>>>     sb.append(username);
> >>>>>>>     sb.append(":");
> >>>>>>>     sb.append(value);
> >>>>>>>     return Base64.encodeBytes(sb.toString().getBytes());
> >>>>>>> }
> >>>>>>>
> >>>>>>> Input is:
> >>>>>>>
> >>>>>>> username= itay.sahar@gmial.com
> >>>>>>>
> >>>>>>> value=    6de5ca4f:1254c461110:-7feb:9135486247122677484
> >>>>>>>
> >>>>>>>
> >>>>>>> Output is:
> >>>>>>>
> >>>>>>>
> >>>>>>> aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0
> >>>>>>>
> >>>>>>> Can you suggest solution ?
> >>>>>>>
> >>>>>>> On Sat, Dec 5, 2009 at 6:20 PM, André Warnier<aw@ice-sa.
> >>>>>>> com>  wrote:
> >>>>>>>
> >>>>>>> Mark Thomas wrote:
> >>>>>>>
> >>>>>>>> itay sahar wrote:
> >>>>>>>>
> >>>>>>>>> Caused by: java.lang.IllegalArgumentException: Control
> >>>>>>>>> character in
> >>>>>>>>>
> >>>>>>>>>> cookie
> >>>>>>>>>> value, consider BASE64 encoding your value
> >>>>>>>>>>      at
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> org.apache.tomcat.util.http.ServerCookie.maybeQuote2
> >>>>>>>>>> (ServerCookie.java:396)
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> To cause this, there must be a character in the value with an
> >>>>>>>>> ASCII
> >>>>>>>>> code
> >>>>>>>>> of less than 0x20 or greater or equal to 0x7f and is not 0x09.
> >>>>>>>>>
> >>>>>>>>> You need to fix that first.
> >>>>>>>>>
> >>>>>>>>> Then you'll need to worry about Base64 using '=' in cookie
> >>>>>>>>> values.
> >>>>>>>>> The
> >>>>>>>>> value needs to be quoted for this to work. Tomcat will do this
> >>>>>>>>> automatically if necessary.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Mark above is talking about the output value of the Base64
> >>>>>>>>> encoder
> >>>>>>>>>
> >>>>>>>> which
> >>>>>>>> you are using, and which you then feed to the
> >>>>>>>> response.addCookie(cookie)
> >>>>>>>> method.
> >>>>>>>>
> >>>>>>>> It is not clear (to me) where the used Base64.encodeBytes()
> >>>>>>>> method
> >>>>>>>> comes
> >>>>>>>> from.  But wherever it comes from, it should encode any input
> >>>>>>>> series
> >>>>>>>> of
> >>>>>>>> bytes according to
> >>>>>>>> http://tools.ietf.org/html/rfc3548#section-3
> >>>>>>>> which cannot produce "control characters".
> >>>>>>>> Except that some Base64 encoders, in some cases, will "wrap"
> >>>>>>>> the
> >>>>>>>> output
> >>>>>>>> string at 76 bytes, by inserting a CR/LF pair, which are both
> >>>>>>>> "control
> >>>>>>>> characters".  (Note that the output string of Base64 is
> >>>>>>>> longer than
> >>>>>>>> the
> >>>>>>>> input string, since it encodes 3 consecutive input bytes into 4
> >>>>>>>> output
> >>>>>>>> bytes.)
> >>>>>>>> My guess is that this is what happens here, and that could
> >>>>>>>> trigger
> >>>>>>>> the
> >>>>>>>> exception above.
> >>>>>>>> Maybe this Base64.encodeBytes() method has an optional
> >>>>>>>> argument which
> >>>>>>>> would tell it to not wrap the output value ?
> >>>>>>>>
> >>>>>>>> Note also that with the code you were showing, the control
> >>>>>>>> character(s)
> >>>>>>>> could presumably be also in "cookiePath".
> >>>>>>>>
> >>>>>>>> Why do you not log the cookie value, just before you call
> >>>>>>>> setCookieValueIfEnabled(String value) ?
> >>>>>>>>
> >>>>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>>
> >>
>
>
>

Re: Control character in cookie value

Posted by Pid Ster <pi...@pidster.com>.
On 7 Dec 2009, at 19:26, itay sahar <it...@gmail.com> wrote:

> I added a log for the following method:
>
> protected String encodeToken(String username, String value)
>   {
>      StringBuilder sb = new StringBuilder();
>      sb.append(username);
>      sb.append(":");
>      sb.append(value);
>      return Base64.encodeBytes(sb.toString().getBytes());
>   }
> *Before encoding:*
> sb.toString().getBytes() =
> [105, 116, 97, 121, 46, 115, 97, 104, 97, 114, 64, 103, 109, 97,
> 105, 108,
> 46, 99, 111, 109, 58, 45, 51, 51, 99, 100, 102, 98, 54, 102, 58, 49,
> 50, 53,
> 54, 97, 57, 48, 99, 57, 97, 99, 58, 45, 56, 48, 48, 48, 58, 51, 54,
> 55, 56,
> 53, 55, 52, 53, 54, 55, 52, 56, 55, 53, 56, 54, 57, 51, 56]
>
> *After encoding:*
> Base64.encodeBytes(sb.toString().getBytes()) =
>
> aXRheS5zYWhhckBnbWFpbC5jb206LTMzY2RmYjZmOjEyNTZhOTBjOWFjOi04MDAwOjM2Nzg1NzQ1


>
> Base64.encodeBytes(sb.toString().getBytes()).getBytes()
> [97, 88, 82, 104, 101, 83, 53, 122, 89, 87, 104, 104, 99, 107, 66,
> 110, 98,
> 87, 70, 112, 98, 67, 53, 106, 98, 50, 48, 54, 76, 84, 77, 122, 89,
> 50, 82,
> 109, 89, 106, 90, 109, 79, 106, 69, 121, 78, 84, 90, 104, 79, 84,
> 66, 106,
> 79, 87, 70, 106, 79, 105, 48, 52, 77, 68, 65, 119, 79, 106, 77, 50,
> 78, 122,
> 103, 49, 78, 122, 81, 49, 10, 78, 106, 99, 48, 79, 68, 99, 49, 79,
> 68, 89,
> 53, 77, 122, 103, 61]
>
> Please note that any change in the above might affect the decoder.
> Thanks!

This is nice, but what does it prove?

How about posting the bit of code where you create and set the cookie?

Then we might see what you're doing wrong.

p

> On Mon, Dec 7, 2009 at 3:04 PM, itay sahar <it...@gmail.com>
> wrote:
>
>> Thanks André,
>>
>> I agree with you about the doubt you have about the ":" being in C
>> (after encoding).
>> return Base64.encodeBytes(sb.toString().getBytes());
>> I guess you suggest to log something like
>> (new String(C)).getBytes ? If yes, I will post it here later. I hope you
>> can then suggest something to solve this.
>>
>>
>> On Mon, Dec 7, 2009 at 1:57 PM, André Warnier <aw...@ice-sa.com> wrote:
>>
>>> itay sahar wrote:
>>>
>>>> Pid,
>>>> I'm not using B as the cookie value.  A & B go to encode and
>>>> finally you
>>>> have *one *value(C). this value
>>>> is sent to addCookie.
>>>>
>>>> C is something like:
>>>>
>>>> aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0


>>>>
>>>
>>> Ok, let's take this at face value.
>>>
>>> So yet, you are still getting an exception, which says that there
>>> is a
>>> "control character" in the value of the cookie which you are
>>> trying to add.
>>>
>>> Let's assume for now that the addCookie method itself has no bug,
>>> and that
>>> what it says in the exception is the truth.
>>>
>>> It also does not look (in these email communications), as if your
>>> value C
>>> above has a "control character" in it.
>>>
>>> (But note : there still could be one, that we do not see here in
>>> these
>>> emails.  For example, if the value C above was in reality ending
>>> in a CR/LF
>>> pair.  Apart from the string C itself above, you should maybe also
>>> log its
>>> length in bytes, so that we can really make sure that this is not
>>> the case).
>>>
>>> Then, if I remember well the code which really adds the cookie
>>> (and which
>>> is not the one shown below), independently of the "value", there
>>> is also in
>>> these cookies an expiration date, and a path, which you add to the
>>> cookie
>>> string one by one.
>>> So really, when you do the addCookie, what you do is creating a
>>> cookie
>>> header which looks like :
>>> Set-Cookie: cookie-name=cookie-value(C);expires=somedate;path=somepath
>>>
>>> Any one of "somedate" or "somepath" could (potentially) contain a
>>> control
>>> character, and the exception would only show up when you actually
>>> do the
>>> addCookie() of the whole value (including expiration date and
>>> path) at once.
>>>
>>>
>>>
>>>
>>>
>>>
>>>> On Mon, Dec 7, 2009 at 12:16 PM, Pid <pi...@pidster.com> wrote:
>>>>
>>>> On 06/12/2009 21:51, itay sahar wrote:
>>>>>
>>>>> Hi Andre,
>>>>>>
>>>>>> please see below input and output of:
>>>>>> protected String encodeToken(String username, String value)
>>>>>>  {
>>>>>>     StringBuilder sb = new StringBuilder();
>>>>>>     sb.append(username);
>>>>>>     sb.append(":");
>>>>>>     sb.append(value);
>>>>>>     return Base64.encodeBytes(sb.toString().getBytes());
>>>>>> }
>>>>>>
>>>>>> Input is:
>>>>>>
>>>>>> username= itay.sahar@gmial.com
>>>>>> value=    6de5ca4f:1254c461110:-7feb:9135486247122677484
>>>>>>
>>>>>> Output is (this is what actually addCookie get as parameter):
>>>>>>
>>>>>> 6de5ca4f:1254c461110:-7feb:9135486247122677484
>>>>>>
>>>>>> Can you suggest solution ?
>>>>>>
>>>>>> Yep.
>>>>>
>>>>> You are claiming that you are supplying A & B to the encodeToken
>>>>> function,
>>>>> but then you are using B as the cookie value.
>>>>>
>>>>> Try using the value returned from the encodeToken function
>>>>> instead.
>>>>> Hint, if it contains a ":" character, it's not Base64 encoded.
>>>>>
>>>>>
>>>>>
>>>>> p
>>>>>
>>>>>
>>>>> On Sun, Dec 6, 2009 at 11:28 PM, itay sahar<it...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Andre,
>>>>>>
>>>>>>> please see below input and output of:
>>>>>>> protected String encodeToken(String username, String value)
>>>>>>>  {
>>>>>>>     StringBuilder sb = new StringBuilder();
>>>>>>>     sb.append(username);
>>>>>>>     sb.append(":");
>>>>>>>     sb.append(value);
>>>>>>>     return Base64.encodeBytes(sb.toString().getBytes());
>>>>>>> }
>>>>>>>
>>>>>>> Input is:
>>>>>>>
>>>>>>> username= itay.sahar@gmial.com
>>>>>>>
>>>>>>> value=    6de5ca4f:1254c461110:-7feb:9135486247122677484
>>>>>>>
>>>>>>>
>>>>>>> Output is:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0


>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Can you suggest solution ?
>>>>>>>
>>>>>>> On Sat, Dec 5, 2009 at 6:20 PM, André Warnier<aw@ice-sa.
>>>>>>> com>  wrote:
>>>>>>>
>>>>>>> Mark Thomas wrote:
>>>>>>>
>>>>>>>> itay sahar wrote:
>>>>>>>>
>>>>>>>>> Caused by: java.lang.IllegalArgumentException: Control
>>>>>>>>> character in
>>>>>>>>>
>>>>>>>>>> cookie
>>>>>>>>>> value, consider BASE64 encoding your value
>>>>>>>>>>      at
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> org.apache.tomcat.util.http.ServerCookie.maybeQuote2
>>>>>>>>>> (ServerCookie.java:396)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> To cause this, there must be a character in the value with an
>>>>>>>>> ASCII
>>>>>>>>> code
>>>>>>>>> of less than 0x20 or greater or equal to 0x7f and is not 0x09.
>>>>>>>>>
>>>>>>>>> You need to fix that first.
>>>>>>>>>
>>>>>>>>> Then you'll need to worry about Base64 using '=' in cookie
>>>>>>>>> values.
>>>>>>>>> The
>>>>>>>>> value needs to be quoted for this to work. Tomcat will do this
>>>>>>>>> automatically if necessary.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Mark above is talking about the output value of the Base64
>>>>>>>>> encoder
>>>>>>>>>
>>>>>>>> which
>>>>>>>> you are using, and which you then feed to the
>>>>>>>> response.addCookie(cookie)
>>>>>>>> method.
>>>>>>>>
>>>>>>>> It is not clear (to me) where the used Base64.encodeBytes()
>>>>>>>> method
>>>>>>>> comes
>>>>>>>> from.  But wherever it comes from, it should encode any input
>>>>>>>> series
>>>>>>>> of
>>>>>>>> bytes according to
>>>>>>>> http://tools.ietf.org/html/rfc3548#section-3
>>>>>>>> which cannot produce "control characters".
>>>>>>>> Except that some Base64 encoders, in some cases, will "wrap"
>>>>>>>> the
>>>>>>>> output
>>>>>>>> string at 76 bytes, by inserting a CR/LF pair, which are both
>>>>>>>> "control
>>>>>>>> characters".  (Note that the output string of Base64 is
>>>>>>>> longer than
>>>>>>>> the
>>>>>>>> input string, since it encodes 3 consecutive input bytes into 4
>>>>>>>> output
>>>>>>>> bytes.)
>>>>>>>> My guess is that this is what happens here, and that could
>>>>>>>> trigger
>>>>>>>> the
>>>>>>>> exception above.
>>>>>>>> Maybe this Base64.encodeBytes() method has an optional
>>>>>>>> argument which
>>>>>>>> would tell it to not wrap the output value ?
>>>>>>>>
>>>>>>>> Note also that with the code you were showing, the control
>>>>>>>> character(s)
>>>>>>>> could presumably be also in "cookiePath".
>>>>>>>>
>>>>>>>> Why do you not log the cookie value, just before you call
>>>>>>>> setCookieValueIfEnabled(String value) ?
>>>>>>>>
>>>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>



Re: Control character in cookie value

Posted by itay sahar <it...@gmail.com>.
I added a log for the following method:

protected String encodeToken(String username, String value)
   {
      StringBuilder sb = new StringBuilder();
      sb.append(username);
      sb.append(":");
      sb.append(value);
      return Base64.encodeBytes(sb.toString().getBytes());
   }
*Before encoding:*
sb.toString().getBytes() =
[105, 116, 97, 121, 46, 115, 97, 104, 97, 114, 64, 103, 109, 97, 105, 108,
46, 99, 111, 109, 58, 45, 51, 51, 99, 100, 102, 98, 54, 102, 58, 49, 50, 53,
54, 97, 57, 48, 99, 57, 97, 99, 58, 45, 56, 48, 48, 48, 58, 51, 54, 55, 56,
53, 55, 52, 53, 54, 55, 52, 56, 55, 53, 56, 54, 57, 51, 56]

*After encoding:*
Base64.encodeBytes(sb.toString().getBytes()) =

aXRheS5zYWhhckBnbWFpbC5jb206LTMzY2RmYjZmOjEyNTZhOTBjOWFjOi04MDAwOjM2Nzg1NzQ1

Base64.encodeBytes(sb.toString().getBytes()).getBytes()
[97, 88, 82, 104, 101, 83, 53, 122, 89, 87, 104, 104, 99, 107, 66, 110, 98,
87, 70, 112, 98, 67, 53, 106, 98, 50, 48, 54, 76, 84, 77, 122, 89, 50, 82,
109, 89, 106, 90, 109, 79, 106, 69, 121, 78, 84, 90, 104, 79, 84, 66, 106,
79, 87, 70, 106, 79, 105, 48, 52, 77, 68, 65, 119, 79, 106, 77, 50, 78, 122,
103, 49, 78, 122, 81, 49, 10, 78, 106, 99, 48, 79, 68, 99, 49, 79, 68, 89,
53, 77, 122, 103, 61]

Please note that any change in the above might affect the decoder.
Thanks!


On Mon, Dec 7, 2009 at 3:04 PM, itay sahar <it...@gmail.com> wrote:

> Thanks André,
>
> I agree with you about the doubt you have about the ":" being in C (after
> encoding).
>  return Base64.encodeBytes(sb.toString().getBytes());
> I guess you suggest to log something like
> (new String(C)).getBytes ? If yes, I will post it here later. I hope you can
> then suggest something to solve this.
>
>
> On Mon, Dec 7, 2009 at 1:57 PM, André Warnier <aw...@ice-sa.com> wrote:
>
>> itay sahar wrote:
>>
>>> Pid,
>>> I'm not using B as the cookie value.  A & B go to encode and finally you
>>> have *one *value(C). this value
>>> is sent to addCookie.
>>>
>>> C is something like:
>>>
>>> aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0
>>>
>>
>> Ok, let's take this at face value.
>>
>> So yet, you are still getting an exception, which says that there is a
>> "control character" in the value of the cookie which you are trying to add.
>>
>> Let's assume for now that the addCookie method itself has no bug, and that
>> what it says in the exception is the truth.
>>
>> It also does not look (in these email communications), as if your value C
>> above has a "control character" in it.
>>
>> (But note : there still could be one, that we do not see here in these
>> emails.  For example, if the value C above was in reality ending in a CR/LF
>> pair.  Apart from the string C itself above, you should maybe also log its
>> length in bytes, so that we can really make sure that this is not the case).
>>
>> Then, if I remember well the code which really adds the cookie (and which
>> is not the one shown below), independently of the "value", there is also in
>> these cookies an expiration date, and a path, which you add to the cookie
>> string one by one.
>> So really, when you do the addCookie, what you do is creating a cookie
>> header which looks like :
>> Set-Cookie: cookie-name=cookie-value(C);expires=somedate;path=somepath
>>
>> Any one of "somedate" or "somepath" could (potentially) contain a control
>> character, and the exception would only show up when you actually do the
>> addCookie() of the whole value (including expiration date and path) at once.
>>
>>
>>
>>
>>
>>
>>> On Mon, Dec 7, 2009 at 12:16 PM, Pid <pi...@pidster.com> wrote:
>>>
>>>  On 06/12/2009 21:51, itay sahar wrote:
>>>>
>>>>  Hi Andre,
>>>>>
>>>>> please see below input and output of:
>>>>> protected String encodeToken(String username, String value)
>>>>>   {
>>>>>      StringBuilder sb = new StringBuilder();
>>>>>      sb.append(username);
>>>>>      sb.append(":");
>>>>>      sb.append(value);
>>>>>      return Base64.encodeBytes(sb.toString().getBytes());
>>>>> }
>>>>>
>>>>> Input is:
>>>>>
>>>>> username= itay.sahar@gmial.com
>>>>> value=    6de5ca4f:1254c461110:-7feb:9135486247122677484
>>>>>
>>>>> Output is (this is what actually addCookie get as parameter):
>>>>>
>>>>> 6de5ca4f:1254c461110:-7feb:9135486247122677484
>>>>>
>>>>> Can you suggest solution ?
>>>>>
>>>>>  Yep.
>>>>
>>>> You are claiming that you are supplying A & B to the encodeToken
>>>> function,
>>>> but then you are using B as the cookie value.
>>>>
>>>> Try using the value returned from the encodeToken function instead.
>>>> Hint, if it contains a ":" character, it's not Base64 encoded.
>>>>
>>>>
>>>>
>>>> p
>>>>
>>>>
>>>>  On Sun, Dec 6, 2009 at 11:28 PM, itay sahar<it...@gmail.com>
>>>>  wrote:
>>>>
>>>>>  Hi Andre,
>>>>>
>>>>>> please see below input and output of:
>>>>>> protected String encodeToken(String username, String value)
>>>>>>   {
>>>>>>      StringBuilder sb = new StringBuilder();
>>>>>>      sb.append(username);
>>>>>>      sb.append(":");
>>>>>>      sb.append(value);
>>>>>>      return Base64.encodeBytes(sb.toString().getBytes());
>>>>>> }
>>>>>>
>>>>>> Input is:
>>>>>>
>>>>>> username= itay.sahar@gmial.com
>>>>>>
>>>>>> value=    6de5ca4f:1254c461110:-7feb:9135486247122677484
>>>>>>
>>>>>>
>>>>>> Output is:
>>>>>>
>>>>>>
>>>>>>
>>>>>> aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0
>>>>>>
>>>>>>
>>>>>>
>>>>>> Can you suggest solution ?
>>>>>>
>>>>>> On Sat, Dec 5, 2009 at 6:20 PM, André Warnier<aw...@ice-sa.com>  wrote:
>>>>>>
>>>>>>  Mark Thomas wrote:
>>>>>>
>>>>>>>  itay sahar wrote:
>>>>>>>
>>>>>>>>  Caused by: java.lang.IllegalArgumentException: Control character in
>>>>>>>>
>>>>>>>>> cookie
>>>>>>>>> value, consider BASE64 encoding your value
>>>>>>>>>       at
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> org.apache.tomcat.util.http.ServerCookie.maybeQuote2(ServerCookie.java:396)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  To cause this, there must be a character in the value with an
>>>>>>>> ASCII
>>>>>>>> code
>>>>>>>>  of less than 0x20 or greater or equal to 0x7f and is not 0x09.
>>>>>>>>
>>>>>>>> You need to fix that first.
>>>>>>>>
>>>>>>>> Then you'll need to worry about Base64 using '=' in cookie values.
>>>>>>>> The
>>>>>>>> value needs to be quoted for this to work. Tomcat will do this
>>>>>>>> automatically if necessary.
>>>>>>>>
>>>>>>>>
>>>>>>>>  Mark above is talking about the output value of the Base64 encoder
>>>>>>>>
>>>>>>> which
>>>>>>> you are using, and which you then feed to the
>>>>>>> response.addCookie(cookie)
>>>>>>> method.
>>>>>>>
>>>>>>> It is not clear (to me) where the used Base64.encodeBytes() method
>>>>>>> comes
>>>>>>> from.  But wherever it comes from, it should encode any input series
>>>>>>> of
>>>>>>> bytes according to
>>>>>>> http://tools.ietf.org/html/rfc3548#section-3
>>>>>>> which cannot produce "control characters".
>>>>>>> Except that some Base64 encoders, in some cases, will "wrap" the
>>>>>>> output
>>>>>>> string at 76 bytes, by inserting a CR/LF pair, which are both
>>>>>>> "control
>>>>>>> characters".  (Note that the output string of Base64 is longer than
>>>>>>> the
>>>>>>> input string, since it encodes 3 consecutive input bytes into 4
>>>>>>> output
>>>>>>> bytes.)
>>>>>>> My guess is that this is what happens here, and that could trigger
>>>>>>> the
>>>>>>> exception above.
>>>>>>> Maybe this Base64.encodeBytes() method has an optional argument which
>>>>>>> would tell it to not wrap the output value ?
>>>>>>>
>>>>>>> Note also that with the code you were showing, the control
>>>>>>> character(s)
>>>>>>> could presumably be also in "cookiePath".
>>>>>>>
>>>>>>> Why do you not log the cookie value, just before you call
>>>>>>> setCookieValueIfEnabled(String value) ?
>>>>>>>
>>>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>

Re: Control character in cookie value

Posted by itay sahar <it...@gmail.com>.
Thanks André,

I agree with you about the doubt you have about the ":" being in C (after
encoding).
 return Base64.encodeBytes(sb.toString().getBytes());
I guess you suggest to log something like
(new String(C)).getBytes ? If yes, I will post it here later. I hope you can then
suggest something to solve this.


On Mon, Dec 7, 2009 at 1:57 PM, André Warnier <aw...@ice-sa.com> wrote:

> itay sahar wrote:
>
>> Pid,
>> I'm not using B as the cookie value.  A & B go to encode and finally you
>> have *one *value(C). this value
>> is sent to addCookie.
>>
>> C is something like:
>>
>> aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0
>>
>
> Ok, let's take this at face value.
>
> So yet, you are still getting an exception, which says that there is a
> "control character" in the value of the cookie which you are trying to add.
>
> Let's assume for now that the addCookie method itself has no bug, and that
> what it says in the exception is the truth.
>
> It also does not look (in these email communications), as if your value C
> above has a "control character" in it.
>
> (But note : there still could be one, that we do not see here in these
> emails.  For example, if the value C above was in reality ending in a CR/LF
> pair.  Apart from the string C itself above, you should maybe also log its
> length in bytes, so that we can really make sure that this is not the case).
>
> Then, if I remember well the code which really adds the cookie (and which
> is not the one shown below), independently of the "value", there is also in
> these cookies an expiration date, and a path, which you add to the cookie
> string one by one.
> So really, when you do the addCookie, what you do is creating a cookie
> header which looks like :
> Set-Cookie: cookie-name=cookie-value(C);expires=somedate;path=somepath
>
> Any one of "somedate" or "somepath" could (potentially) contain a control
> character, and the exception would only show up when you actually do the
> addCookie() of the whole value (including expiration date and path) at once.

Re: Control character in cookie value

Posted by André Warnier <aw...@ice-sa.com>.
itay sahar wrote:
> Pid,
> I'm not using B as the cookie value.  A & B go to encode and finally you
> have *one* value (C). This value is sent to addCookie.
>
> C is something like:
> aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0

Ok, let's take this at face value.

So yet, you are still getting an exception, which says that there is a 
"control character" in the value of the cookie which you are trying to add.

Let's assume for now that the addCookie method itself has no bug, and 
that what it says in the exception is the truth.

It also does not look (in these email communications), as if your value 
C above has a "control character" in it.

(But note : there still could be one, that we do not see here in these 
emails.  For example, if the value C above was in reality ending in a 
CR/LF pair.  Apart from the string C itself above, you should maybe also 
log its length in bytes, so that we can really make sure that this is 
not the case).

Then, if I remember well the code which really adds the cookie (and 
which is not the one shown below), independently of the "value", there 
is also in these cookies an expiration date, and a path, which you add 
to the cookie string one by one.
So really, when you do the addCookie, what you do is creating a cookie 
header which looks like :
Set-Cookie: cookie-name=cookie-value(C);expires=somedate;path=somepath

Any one of "somedate" or "somepath" could (potentially) contain a 
control character, and the exception would only show up when you 
actually do the addCookie() of the whole value (including expiration 
date and path) at once.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Control character in cookie value

Posted by itay sahar <it...@gmail.com>.
Pid,
I'm not using B as the cookie value.  A & B go to encode and finally you
have *one* value (C). This value is sent to addCookie.

C is something like:
aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0


Re: Control character in cookie value

Posted by Pid <pi...@pidster.com>.
On 06/12/2009 21:51, itay sahar wrote:
> Hi Andre,
>
> please see below input and output of:
> protected String encodeToken(String username, String value)
>     {
>        StringBuilder sb = new StringBuilder();
>        sb.append(username);
>        sb.append(":");
>        sb.append(value);
>        return Base64.encodeBytes(sb.toString().getBytes());
> }
>
> Input is:
>
> username= itay.sahar@gmial.com
> value=    6de5ca4f:1254c461110:-7feb:9135486247122677484
>
> Output is (this is what actually addCookie gets as parameter):
>
> 6de5ca4f:1254c461110:-7feb:9135486247122677484
>
> Can you suggest a solution?

Yep.

You are claiming that you are supplying A & B to the encodeToken 
function, but then you are using B as the cookie value.

Try using the value returned from the encodeToken function instead.
Hint, if it contains a ":" character, it's not Base64 encoded.


p


Re: Control character in cookie value

Posted by itay sahar <it...@gmail.com>.
Hi Andre,

please see below input and output of:
protected String encodeToken(String username, String value)
{
   StringBuilder sb = new StringBuilder();
   sb.append(username);
   sb.append(":");
   sb.append(value);
   return Base64.encodeBytes(sb.toString().getBytes());
}

Input is:

username= itay.sahar@gmial.com
value=    6de5ca4f:1254c461110:-7feb:9135486247122677484

Output is (this is what actually addCookie gets as parameter):

6de5ca4f:1254c461110:-7feb:9135486247122677484

Can you suggest a solution?

On Sun, Dec 6, 2009 at 11:28 PM, itay sahar <it...@gmail.com> wrote:

> Hi Andre,
>
> please see below input and output of:
> protected String encodeToken(String username, String value)
>    {
>       StringBuilder sb = new StringBuilder();
>       sb.append(username);
>       sb.append(":");
>       sb.append(value);
>       return Base64.encodeBytes(sb.toString().getBytes());
> }
>
> Input is:
>
> username= itay.sahar@gmial.com
>
> value=    6de5ca4f:1254c461110:-7feb:9135486247122677484
>
>
> Output is:
>
> aXRheS5zYWhhckBnbWFpbC5jb206NmRlNWNhNGY6MTI1NGM0NjExMTA6LTdmZWI6OTEzNTQ4NjI0
>
>
>
> Can you suggest solution ?
>

Re: Control character in cookie value

Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
> itay sahar wrote:
>> Caused by: java.lang.IllegalArgumentException: Control character in cookie
>> value, consider BASE64 encoding your value
>>         at
>> org.apache.tomcat.util.http.ServerCookie.maybeQuote2(ServerCookie.java:396)
> 
> To cause this, there must be a character in the value with an ASCII code
>  of less than 0x20 or greater or equal to 0x7f and is not 0x09.
> 
> You need to fix that first.
> 
> Then you'll need to worry about Base64 using '=' in cookie values. The
> value needs to be quoted for this to work. Tomcat will do this
> automatically if necessary.
> 

Mark above is talking about the output value of the Base64 encoder which 
you are using, and which you then feed to the response.addCookie(cookie) 
method.

It is not clear (to me) where the used Base64.encodeBytes() method comes 
from.  But wherever it comes from, it should encode any input series of 
bytes according to
http://tools.ietf.org/html/rfc3548#section-3
which cannot produce "control characters".
Except that some Base64 encoders, in some cases, will "wrap" the output 
string at 76 bytes, by inserting a CR/LF pair, which are both "control 
characters".  (Note that the output string of Base64 is longer than the 
input string, since it encodes 3 consecutive input bytes into 4 output 
bytes.)
My guess is that this is what happens here, and that could trigger the 
exception above.
Maybe this Base64.encodeBytes() method has an optional argument which 
would tell it to not wrap the output value ?

Note also that with the code you were showing, the control character(s) 
could presumably be also in "cookiePath".

Why do you not log the cookie value, just before you call 
setCookieValueIfEnabled(String value) ?



Re: Control character in cookie value

Posted by itay sahar <it...@gmail.com>.
Thanks for the reply, Mark,

So you suggest changing the following method:

protected String encodeToken(String username, String value)
   {
      StringBuilder sb = new StringBuilder();
      sb.append(username);
      sb.append(":");
      sb.append(value);
      return Base64.encodeBytes(sb.toString().getBytes());
   }

Can you suggest a workaround for this?

This code is from Seam, but I can override a component if not sufficient.
The special characters I have in the specific email address (username) are .
and @.
But I really need to support all characters that can be applied in an email
address.

Thanks!


Re: Control character in cookie value

Posted by Mark Thomas <ma...@apache.org>.
itay sahar wrote:
> Caused by: java.lang.IllegalArgumentException: Control character in cookie
> value, consider BASE64 encoding your value
>         at
> org.apache.tomcat.util.http.ServerCookie.maybeQuote2(ServerCookie.java:396)

To cause this, there must be a character in the value with an ASCII code
of less than 0x20 or greater than or equal to 0x7f, and that is not 0x09.

You need to fix that first.

Then you'll need to worry about Base64 using '=' in cookie values. The
value needs to be quoted for this to work. Tomcat will do this
automatically if necessary.

Mark
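
The checks discussed in this thread (the character rule Mark states above and André's guess about line wrapping), as an added example that is not part of the original messages and is not Seam or Tomcat code. It assumes java.util.Base64 from Java 8 and later instead of the Base64.encodeBytes() class used in the thread, and the username and value are constructed sample input.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class CookieTokenCheck {

    // Same shape as the thread's encodeToken(): "username:value", then Base64.
    // The encoder is a parameter so wrapping and non-wrapping kinds can be compared.
    static String encodeToken(String username, String value, Base64.Encoder encoder) {
        byte[] raw = (username + ":" + value).getBytes(StandardCharsets.UTF_8);
        return encoder.encodeToString(raw);
    }

    // The rule as stated in the thread: a character below 0x20, or at or above
    // 0x7f, other than 0x09, is rejected. Returns the index of the first such
    // character, or -1 if the string is clean.
    static int firstControlChar(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c < 0x20 || c >= 0x7f) && c != 0x09) {
                return i;
            }
        }
        return -1;
    }

    // Escapes invisible characters so an embedded or trailing CR/LF shows up in a log line.
    static String visible(String s) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c >= 0x7f) {
                sb.append(String.format("\\x%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    static void report(String label, String token) {
        int bad = firstControlChar(token);
        System.out.println(label);
        System.out.println("  length : " + token.length());
        System.out.println("  value  : " + visible(token));
        System.out.println("  verdict: " + (bad < 0
                ? "no control characters"
                : "control character at index " + bad));
    }

    public static void main(String[] args) {
        // Constructed sample input, same shape as in the thread (e-mail address + token).
        String username = "alice@example.com";
        String value = "0a1b2c3d:1254c461110:-7feb:1234567890123456789";

        // MIME-style encoder: inserts CR LF after every 76 output characters.
        // CR/LF inside a header value is what the container's check refuses to emit.
        report("MIME encoder", encodeToken(username, value, Base64.getMimeEncoder()));

        // Basic encoder: never wraps, but may pad with '=' (the quoting concern in the thread).
        report("basic encoder", encodeToken(username, value, Base64.getEncoder()));

        // URL-safe alphabet without padding: no CR/LF and no '=', '+' or '/'.
        String urlSafe = encodeToken(username, value, Base64.getUrlEncoder().withoutPadding());
        report("URL-safe encoder, no padding", urlSafe);

        // The unpadded form still decodes to the original "username:value".
        String decoded = new String(Base64.getUrlDecoder().decode(urlSafe), StandardCharsets.UTF_8);
        System.out.println("round trip ok: " + decoded.equals(username + ":" + value));
    }
}
```

The value C quoted in the thread is exactly 76 characters long, which is the length at which a wrapping encoder ends its first line; logging the token through visible() together with its length shows whether a CR/LF follows it.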






Re: Control character in cookie value

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Itay,

On 12/4/2009 7:41 PM, itay sahar wrote:
> I'm using seam on tomcat 6.0.20 and encounter problem in my security module.
> 
> Basically, i try to add cookie with base64 encoding of the username which is
> email address.
> The encoding works and no exception is thrown. But when seam try adding the
> cookie an exception is thrown:

[snip]

> javax.servlet.ServletException: #{identity.login}:
> java.lang.IllegalArgumentException: Control character in cookie value,
> consider BASE64 encoding your value

It looks like you are using an EL expression that either cannot properly
be executed or is not allowed: "#{identity.login}" appears to be your
original code, and not the data you intended to encode.

Are you sure you are looking for the right problem? All the other
messages in this thread refer to "username" and "password" and yet the
error appears to be due to the above value, not the username and password.

-chris
